A compliance threshold only matters when something crosses it. For three years, the EU AI Act’s 10^25 FLOP systemic risk line has been a regulatory design feature, a threshold in text, not a list of named systems. Epoch AI’s April 2026 Frontier Compute Report has turned the threshold into a roster.
Twelve models. Named frontier labs. Four months until the EU AI Act’s general application deadline. The abstract has become operational.
This impact assessment maps three things: what the threshold means in law, what it requires in practice, and what the organizations now in scope need to accomplish before August 2026. The regulatory text is confirmed. The obligations are active. The gap between where these organizations are and where Article 51 requires them to be is the variable this briefing is designed to help compliance teams assess.
The Threshold Map: What 10^25 FLOP Means Legally
The EU AI Act creates two compute-based classification layers for general purpose AI models.
The lower threshold, 10^23 FLOP, is the GPAI classification line. Cross it, and a model capable of generating language is regulated as general purpose AI, with associated obligations around transparency, technical documentation, and copyright compliance. The EU AI Act’s regulatory framework, confirmed by T1 EU sources, establishes this as the foundational classification layer. Most capable language models in commercial deployment today are above this line.
The upper threshold, 10^25 FLOP, is the systemic risk presumption line. Article 51 of the EU AI Act provides that models trained with more than 10^25 FLOP are automatically presumed to pose systemic risk. That word, presumed, is doing important legal work. Article 51 doesn’t determine that these models cause harm. It shifts the legal burden: the organization developing or deploying the model must demonstrate it doesn’t pose systemic risk, rather than regulators having to prove it does. The presumption can be rebutted. But the burden is on the developer.
Epoch AI’s April 2026 data, drawn from its public notable models database, indicates 12 models have now crossed this upper threshold. The frontier labs represented include OpenAI, Google, Anthropic, Meta, and Mistral, confirmed by multiple independent analyses as the organizations operating at this compute scale. This list is representative, not exhaustive.
Who’s in Scope, and What “In Scope” Actually Means
Being above the 10^25 FLOP threshold doesn’t mean an organization is being investigated or has been found in violation of anything. It means three things, in legal terms:
First, the systemic risk presumption applies. The organization’s model is legally presumed, by operation of Article 51, to pose systemic risk to the EU, its institutions, or fundamental rights.
Second, enhanced GPAI obligations activate. The systemic risk tier carries obligations beyond those imposed on GPAI models below the threshold. These include adversarial testing requirements, incident reporting to EU authorities, and model evaluation against state-of-the-art benchmarks.
Third, the organization is subject to direct regulatory supervision at the systemic risk tier ahead of, and after, the August 2026 general application deadline. For organizations with EU market exposure, this is not an optional compliance track.
The five frontier labs named above have each publicly disclosed AI systems trained at the relevant compute scale. What their current compliance posture looks like against the specific Article 51 obligations is not public information.
The Obligations: What Article 51 Systemic Risk Classification Actually Requires
The EU AI Act’s systemic risk tier obligations are more extensive than those applying to standard GPAI models. Based on the regulation’s confirmed text, organizations with models above the 10^25 FLOP threshold face the following requirements:
Adversarial testing. Organizations must conduct, or commission, adversarial testing of their models. This isn’t standard QA. Adversarial testing at this tier means structured attempts to elicit harmful outputs, test the model’s robustness against misuse, and identify systemic vulnerabilities before deployment. The methodology for this testing is expected to be further specified in implementing regulations ahead of August 2026.
Incident reporting. Organizations must report serious incidents or systemic risks identified in their models to the relevant national competent authority in the EU member state where they operate or have their EU establishment. The definition of “serious incident” for GPAI models at the systemic risk tier is one of the regulatory specifics compliance teams should be tracking closely, implementing guidance will sharpen this definition ahead of the application deadline.
Model evaluation. Organizations must conduct and document evaluations of their models against state-of-the-art benchmarks relevant to the capabilities and risks the model presents. These evaluations must be documented and made available to regulators. The European AI Office, the EU’s designated supervisory body for GPAI, is expected to publish further guidance on evaluation methodology before August 2026.
Technical documentation and cooperation. At the systemic risk tier, technical documentation requirements are more extensive than the standard GPAI level. Organizations must cooperate with the European AI Office, including providing access to models and documentation for assessment purposes upon request.
Notably, the obligations at the standard GPAI tier, transparency documentation, copyright policy, training data summary disclosure, remain applicable. Systemic risk classification adds to those requirements, it doesn’t replace them.
The August 2026 Clock, What’s Active Now vs. What Takes Effect Then
The EU AI Act’s general application deadline of August 2026 is four months away from this briefing’s publication date. The question compliance teams need to answer is: which obligations are already active, and which activate at the August deadline?
The GPAI Code of Practice, developed through a multi-stakeholder process involving frontier labs and civil society, is already shaping the compliance framework ahead of the formal August deadline. Organizations that participated in the Code of Practice process have been operating under its provisions as an anticipatory compliance mechanism. Those that haven’t should be tracking the Code’s current text as the closest available proxy for what August 2026 obligations will look like in practice.
As of April 2026, organizations with models above the 10^25 FLOP threshold should have, at minimum, completed an initial assessment of their model’s compute position relative to the threshold, identified the relevant national competent authority in their EU member state for incident reporting purposes, and begun scoping adversarial testing programs against EU AI Act methodology expectations.
Organizations that are treating August 2026 as the start date for compliance work, rather than the deadline for compliance readiness, are running out of runway.
The Projection Problem: What Happens When the Count Keeps Growing
Epoch AI projects that the number of models exceeding 1e26 FLOP will continue to grow through 2026 – a trend the company has characterized as a challenge for threshold-based regulatory design. The specific count projected for year-end 2026 at this higher threshold requires verification against Epoch AI’s full April report; the directional finding, more models crossing higher compute thresholds, is consistent with Epoch’s published trajectory data.
The regulatory design question this raises is consequential. If model counts above the systemic risk threshold grow faster than the European AI Office’s supervisory capacity, the presumption mechanism alone may not be sufficient. Regulators designed the threshold as a filtering tool, a way to concentrate oversight resources on the most powerful models. If dozens of models are eventually above the threshold, the filtering function weakens.
This is the medium-term policy question that the April 2026 data makes tangible. For now, with 12 models in scope, the EU AI Office’s supervision capacity is strained but arguably functional. The trajectory matters.
TJS Synthesis
The EU AI Act’s systemic risk tier is no longer a regulatory hypothesis. Epoch AI’s April 2026 data has put 12 models in scope, with more expected before year-end. For compliance teams at frontier labs, there are two immediate priorities.
The first is threshold confirmation: map your organization’s models against Epoch AI’s database and against the 10^25 FLOP threshold directly. If you’re above the line, you’re presumed to pose systemic risk under Article 51. That presumption is active, it doesn’t wait for August 2026.
The second is obligation readiness: audit your current compliance posture against the four categories, adversarial testing, incident reporting, model evaluation, and technical documentation – and identify where gaps exist. The August deadline is the enforcement clock. The readiness work should already be underway.
The contrast with the US federal approach is instructive. While the DOJ is using EO 14365 to preempt state AI laws in favor of a lighter national standard, the EU is moving in the opposite direction: binding obligations, regulatory presumptions, and active supervisory oversight for the most powerful models. Organizations operating frontier AI at global scale are navigating both environments simultaneously. That’s the compliance reality of 2026.